PKI: ACME request not signed by Let's Encrypt but by our internal CA? #2487

Until now, I was only using the (great) internal CA of debops.pki. But today, on one machine, I need both the internal CA's cert (say `example.com`, from the default realm `domain`) and a Let's Encrypt one (`example.net`, from this host's realm). So in the inventory of this host, I added:

But when I run the PKI role on this host, this realm `example.net`'s cert is created, but it's signed by our internal CA, not by Let's Encrypt! (and its Subject Alternative Name includes the default `domain` realm wildcard, although the `acme_subdomains` does not include it)

```
openssl x509 -noout -text -in example.net/default.crt
...
Issuer: O = My Organisation, OU = Domain CA, CN = My Organisation Domain CA
Subject: CN = example.net
...
X509v3 Subject Alternative Name:
    DNS:example.net, DNS:*.example.net
```

Moreover, if I run the role again, then the task `Sign certificate requests for current hosts` now always fails:

Which is actually expected, because this CA signs domains under `example.com`, not `example.net`. But why did this task succeed at the first run of the role?! What am I missing?

Comments

(In case it could be important, I should explicitly say that

Even if I set only `pki_default_realms`:

```yaml
pki_default_realms:
  - name: 'foo.example.net'
    acme: True
    # This `www` is actually *not* added to SAN!
    # X509v3 Subject Alternative Name:
    #     DNS:foo.example.net
    acme_subdomains: [ 'www' ]
    acme_ca: 'le-staging-v2'
    # Have to unset default_subdomains, otherwise `*.foo.example.net` is added to SAN.
    # X509v3 Subject Alternative Name:
    #     DNS:foo.example.net, DNS:*.foo.example.net
    default_subdomains: []
```

```
openssl x509 -noout -text -in /etc/pki/realms/foo.example.net/default.crt
#...
Issuer: O = My Organisation, OU = Domain CA, CN = My Organisation Domain CA
```
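Added check for the symptom described in this issue (example code, not from the issue or from DebOps): it parses `openssl x509 -noout -text` output and reports when a realm's certificate was not issued by the ACME CA the realm asked for, carries SAN entries the realm never requested (such as the `*.example.net` wildcard above), or lacks ones it did request (the `www` entry from `acme_subdomains`). Assumptions: the ACME issuer's organisation name contains `Let's Encrypt`, a realm expects `realm` plus `sub.realm` for each `acme_subdomains` item, and all function names are mine.

```python
import re
import subprocess

# Constructed sample, copied from the `openssl x509 -noout -text` excerpt in the issue.
SAMPLE_TEXT = """\
        Issuer: O = My Organisation, OU = Domain CA, CN = My Organisation Domain CA
        Subject: CN = example.net
            X509v3 Subject Alternative Name:
                DNS:example.net, DNS:*.example.net
"""
# Assumption: production and staging Let's Encrypt intermediates both carry this in the issuer O=.
ACME_ISSUER_MARKER = "Let's Encrypt"

def parse_x509_text(text):
    """Return (issuer line, [SAN DNS names]) from `openssl x509 -noout -text` output."""
    issuer = ""
    m = re.search(r"^\s*Issuer:\s*(.+)$", text, re.M)
    if m:
        issuer = m.group(1).strip()
    sans = []
    m = re.search(r"X509v3 Subject Alternative Name:[^\n]*\n\s*(.+)$", text, re.M)
    if m:
        entries = [e.strip() for e in m.group(1).split(",")]
        sans = [e[len("DNS:"):] for e in entries if e.startswith("DNS:")]
    return issuer, sans

def expected_sans(realm, acme_subdomains):
    """Names the realm asked for: the realm itself plus one entry per acme_subdomains item."""
    return {realm} | {f"{sub}.{realm}" for sub in acme_subdomains}

def check_realm_cert(text, realm, acme_subdomains, issuer_marker=ACME_ISSUER_MARKER):
    """Return human-readable findings; an empty list means the cert matches what the realm asked for."""
    issuer, sans = parse_x509_text(text)
    findings = []
    if issuer_marker not in issuer:
        findings.append(f"issuer mismatch: got '{issuer}', expected one containing '{issuer_marker}'")
    want, got = expected_sans(realm, acme_subdomains), set(sans)
    findings += [f"unexpected SAN: {n}" for n in sorted(got - want)]  # e.g. a leaked wildcard
    findings += [f"missing SAN: {n}" for n in sorted(want - got)]     # e.g. www never requested
    return findings

def check_cert_file(path, realm, acme_subdomains):
    """Same check against an on-disk cert, e.g. /etc/pki/realms/<realm>/default.crt."""
    out = subprocess.run(["openssl", "x509", "-noout", "-text", "-in", path],
                         check=True, capture_output=True, text=True).stdout
    return check_realm_cert(out, realm, acme_subdomains)
```

Running `check_realm_cert(SAMPLE_TEXT, "example.net", ["www"])` yields three findings: the internal-CA issuer, the unexpected `*.example.net`, and the missing `www.example.net`.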